SSL – Webserver


These instructions are written so that you can support multiple websites on one server (virtual hosting) and use the same certificate for your primary website and your mail server. A certificate only proves the host names listed in it, so decide which names (website.com, www.website.com, the mail host) you need before you request it; one certificate, one fixed set of names.

On the webserver:

dnf -y install mod_ssl openssl

mod_ssl is the Apache module; openssl is the command-line tool used for the key and request below.

cd /etc/ssl/

mkdir website.com

cd website.com

mkdir cafile

mkdir csr

mkdir priv-key

mkdir pub-key

mkdir from-networksolutions

openssl req -nodes -newkey rsa:2048 -sha256 -keyout website.com.key -out website.csr

-sha256 (not -sha2, which openssl does not accept) signs the request with SHA-256. -nodes leaves the private key unencrypted so that httpd can start unattended; that is why its file permissions matter later. When prompted for the Common Name, enter the bare domain, website.com.

mv website.csr csr/

mv website.com.key priv-key/

Save the values you typed when creating the CSR (country, organisation, common name, and so on) in a text file, website-rqst.txt, and move it into the csr directory; you will want the same values at renewal time.

Use cat on the .csr file, then copy everything from -----BEGIN CERTIFICATE REQUEST----- through -----END CERTIFICATE REQUEST----- into the box on the registrar's SSL request form.

You may need to register your company with Dun and Bradstreet; the CA uses that listing to verify your organisation in the next step. The free route can take up to 30 days.

Buy your SSL cert. Validation can take a week or so, since the CA has to verify that you are who you say you are. Give your domain name WITHOUT the www: the request's Common Name is the bare domain, and the www name should come back as a Subject Alternative Name in the issued certificate. Check that both names are present before you install it.

As part of purchasing the SSL cert you send the CSR to the registrar, and you get back a zip file. Save it in /etc/ssl/website.com/from-networksolutions/ and unzip it there.

Substitute your own domain wherever "website" appears. Copy the unzipped files into the directories created earlier:

A. website.crt => pub-key/WEBSITE.COM.crt   (the certificate for your site)
B. AddTrustExternalCARoot.crt => cafile/   (the root; kept for local verification only, Apache should not send it)
C. DV_NetworkDVSolutions_CA2.crt => cafile/   (intermediate)
D. dv_chain.txt => cafile/dv_chain.crt   (the intermediates concatenated; this is the file Apache sends)
E. DV_USERTrustRSACertificationAuthority.crt => cafile/   (intermediate)

Confirm the bundle is consistent before touching Apache: openssl verify -CAfile cafile/AddTrustExternalCARoot.crt -untrusted cafile/dv_chain.crt pub-key/WEBSITE.COM.crt should print OK. Note that the AddTrust External CA Root expired on 30 May 2020; a chain that still ends at it will be rejected by current clients and has to be rebuilt to end at the USERTrust RSA root instead.

Now a few updates to the Apache configuration.

In /etc/httpd/conf/httpd.conf, leave the existing Listen line alone:

Listen 80

Apache takes one port per Listen directive (an optional second word is a protocol name, not a second port), and the mod_ssl package already ships /etc/httpd/conf.d/ssl.conf containing "Listen 443 https" and /etc/httpd/conf.modules.d/00-ssl.conf containing "LoadModule ssl_module modules/mod_ssl.so". Do not add a second Listen 443 or a second LoadModule: a duplicate Listen makes httpd fail to start with "Address already in use".

Still in httpd.conf, set the global ServerName to the bare domain, without "www":

ServerName website.com

cd /etc/httpd/conf.d

You should find one file here for every domain name that you serve.

Update the domain's file like this:

<VirtualHost *:80>
  ServerName www.website.com
  ServerAlias website.com *.website.com
  DocumentRoot /var/www/website.com
  # Plain HTTP: no SSL* directives belong in this block. To force TLS instead
  # of serving the site twice, replace DocumentRoot with:
  #   Redirect permanent / https://www.website.com/
  <Directory /var/www/website.com>
        AllowOverride All
  </Directory>
  ErrorLog logs/website.com-error.log
  CustomLog logs/website.com-access.log combined
</VirtualHost>

<VirtualHost *:443>
  ServerName www.website.com
  # *.website.com only makes sense here with a wildcard certificate; a DV cert
  # for website.com covers website.com and www.website.com only.
  ServerAlias website.com *.website.com
  DocumentRoot /var/www/website.com
  SSLEngine on
  # Leaf certificate, its private key, and the intermediates (dv_chain.crt as
  # renamed above, not the .txt; never the root). Since httpd 2.4.8 the
  # intermediates may instead be appended to the SSLCertificateFile.
  SSLCertificateFile      /etc/ssl/website.com/pub-key/WEBSITE.COM.crt
  SSLCertificateKeyFile   /etc/ssl/website.com/priv-key/website.com.key
  SSLCertificateChainFile /etc/ssl/website.com/cafile/dv_chain.crt
  <Directory /var/www/website.com>
        AllowOverride All
  </Directory>
  ErrorLog logs/website.com-error.log
  CustomLog logs/website.com-access.log combined
</VirtualHost>

Protocol and cipher settings come from the mod_ssl defaults in /etc/httpd/conf.d/ssl.conf; tighten them there rather than per virtual host.

Check the permissions on /etc/ssl/website.com. httpd opens the certificate and key as root while starting, so the private key should be readable by root only; the certificates and the chain file are public:

chmod 700 /etc/ssl/website.com/priv-key
chmod 600 /etc/ssl/website.com/priv-key/website.com.key

Files copied in from elsewhere can carry the wrong SELinux label. Relabel the tree, and if httpd still cannot read the files look for the denial:

restorecon -Rv /etc/ssl/website.com
ausearch -m avc -ts recent
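Before editing httpd it is worth proving that the files from the CA actually fit together: that the key matches the certificate, that the certificate names both website.com and www.website.com, that it verifies against the cafile directory, and that dv_chain.crt contains the intermediates in issuer order without the root. The script below is an added example, not part of the original page or of any CA's tooling; it builds a constructed root -> intermediate -> leaf PKI in a temporary directory so it runs offline, and the file names (website.com.key, WEBSITE.COM.crt, cafile/, dv_chain.crt) are assumptions following the layout above. Point the same functions at the real files to check a delivered bundle.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check what the CA sent
# back before wiring it into Apache.  File names follow the page's layout
# (website.com.key, WEBSITE.COM.crt, cafile/, dv_chain.crt) but are assumptions.
set -eu

strip_prefix() { sed 's/^[a-z]*=//'; }   # "subject=CN = x" -> "CN = x"

# 1. Does the private key belong to this certificate?  Compare public keys.
key_matches_cert() {  # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. Does the certificate list this DNS name in subjectAltName?  Browsers
#    ignore the CN, so both website.com and www.website.com must appear.
cert_has_san() {  # $1 = certificate, $2 = DNS name
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# 3. Does the leaf verify against the CA files we were given (root included)?
chain_verifies() {  # $1 = certificate, $2 = bundle of root + intermediates
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 4. Assemble the chain file Apache sends (SSLCertificateChainFile): the
#    intermediates in issuer order, leaf and root excluded.  Walks
#    issuer -> subject through the *.crt files in $2; fails if a link is missing.
build_chain() {  # $1 = leaf cert, $2 = dir of CA certs, $3 = output chain file
    : > "$3"
    cur=$1
    while :; do
        issuer=$(openssl x509 -in "$cur" -noout -issuer 2>/dev/null | strip_prefix)
        subj=$(openssl x509 -in "$cur" -noout -subject 2>/dev/null | strip_prefix)
        [ "$issuer" = "$subj" ] && return 0          # self-signed: reached the root
        next=
        for f in "$2"/*.crt; do
            [ -f "$f" ] || continue
            if [ "$(openssl x509 -in "$f" -noout -subject 2>/dev/null | strip_prefix)" = "$issuer" ]; then
                next=$f; break
            fi
        done
        [ -n "$next" ] || return 1                   # issuer not supplied: chain incomplete
        # Append only non-root links; the next pass stops at the root.
        if [ "$(openssl x509 -in "$next" -noout -issuer 2>/dev/null | strip_prefix)" != "$issuer" ]; then
            cat "$next" >> "$3"
        fi
        cur=$next
    done
}

# 5. httpd reads the key as root before dropping privileges; nobody else needs it.
lock_down() {  # $1 = private key, $2.. = public certificate files
    chmod 0600 "$1"; shift
    chmod 0644 "$@"
}

# Run every check; 0 means the bundle is ready to reference from httpd.
check_bundle() {  # $1 key, $2 cert, $3 CA dir, $4 trust bundle, $5 chain out, $6 domain
    key_matches_cert "$1" "$2"  || { echo "key does not match certificate"; return 1; }
    for n in "$6" "www.$6"; do
        cert_has_san "$2" "$n"  || { echo "certificate lacks SAN $n"; return 1; }
    done
    chain_verifies "$2" "$4"    || { echo "certificate does not verify against cafile"; return 1; }
    build_chain "$2" "$3" "$5"  || { echo "an intermediate certificate is missing"; return 1; }
    lock_down "$1" "$2" "$5"
}

# Constructed sample PKI (root -> intermediate -> leaf with SANs) so this runs
# offline; a real run points the same functions at the files from the CA.
make_sample_pki() {  # $1 = scratch dir
    d=$1; mkdir -p "$d/cafile"
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
    printf 'subjectAltName=DNS:website.com,DNS:www.website.com\n' > "$d/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Sample Root' \
        -keyout "$d/root.key" -out "$d/cafile/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Sample Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/cafile/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/cafile/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=website.com' \
        -keyout "$d/website.com.key" -out "$d/website.csr" 2>/dev/null
    openssl x509 -req -in "$d/website.csr" -CA "$d/cafile/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/WEBSITE.COM.crt" 2>/dev/null
    cat "$d/cafile/root.crt" "$d/cafile/int.crt" > "$d/trust.pem"
}

tmp=$(mktemp -d)
make_sample_pki "$tmp"
if check_bundle "$tmp/website.com.key" "$tmp/WEBSITE.COM.crt" "$tmp/cafile" \
                "$tmp/trust.pem" "$tmp/dv_chain.crt" website.com; then
    echo "bundle OK: $(grep -c 'BEGIN CERTIFICATE' "$tmp/dv_chain.crt") intermediate(s) written to $tmp/dv_chain.crt"
else
    echo "bundle REJECTED: fix the files before editing httpd"; exit 1
fi
```

build_chain deliberately stops at the self-signed certificate and leaves it out, because the root must already be in the client's trust store and sending it only wastes bytes; chain_verifies, on the other hand, needs the root present in the bundle it is given, which is why the root is kept in cafile/ even though Apache never serves it.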

Activate

Test the configuration first, then restart (on a dnf-based system httpd is managed by systemd):

apachectl configtest

systemctl restart httpd

Then confirm from another machine that the server presents the certificate and the full chain, and that the verify result is OK:

openssl s_client -connect website.com:443 -servername website.com </dev/null
